OpenID v.Next Core Protocol Charter
SitG Admin
sysadmin at shadowsinthegarden.com
Mon May 24 04:50:42 UTC 2010
>What if Facebook could send a message logging out users from Google
>and Microsoft without the users' consent?
I see an identity correlation attack where the OP is offering
anonymous Identities as requested but the user is not availing
themselves of this for any non-secure site: if you want to test
whether a user of site B (insecure, non-anonymous Identity) is also
currently active on site A (secure) as an anonymous user, keep the
session active and then suddenly initiate single-sign-out from A,
seeing if the activity on B also ceases.
-Shade
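Added example, not part of the original thread and not any OpenID implementation's code: a small Python model of the correlation Shade describes. The OP, RP names and identifiers are constructed. A global single-sign-out ends the public session at B the moment the anonymous session at A signs out, which is the observable signal; scoping sign-out so that a pairwise (anonymous) session never propagates logout to sessions with a different identifier removes it.

```python
from dataclasses import dataclass, field

@dataclass
class RpSession:
    """One OP-held session for one user at one relying party (RP)."""
    rp: str
    identifier: str   # identifier the OP handed this RP for the user
    pairwise: bool    # True: identifier is unique to this RP (anonymous)
    active: bool = True

@dataclass
class OpAccount:
    """All sessions the OP holds for one human user, keyed by RP name."""
    sessions: dict = field(default_factory=dict)

    def login(self, rp: str, identifier: str, pairwise: bool) -> None:
        self.sessions[rp] = RpSession(rp, identifier, pairwise)

    def sign_out_global(self, initiating_rp: str) -> None:
        """Naive single-sign-out: every session of the user ends at once.
        Anyone watching another RP sees its session stop at the same
        moment and can link the two identifiers to one person."""
        for s in self.sessions.values():
            s.active = False

    def sign_out_scoped(self, initiating_rp: str) -> None:
        """Mitigation: end the initiating session, and only propagate to
        sessions that already share a non-pairwise identifier with it.
        A pairwise (anonymous) session neither sends nor receives logout."""
        init = self.sessions[initiating_rp]
        for s in self.sessions.values():
            if s.rp == initiating_rp:
                s.active = False
            elif (not init.pairwise and not s.pairwise
                  and s.identifier == init.identifier):
                s.active = False

def run_scenario(scoped: bool) -> dict:
    """Constructed scenario from the thread: same user, anonymous identity
    at RP 'A', public identity at RP 'B'; sign-out is initiated from A.
    Returns each RP's session state afterwards (True = still active)."""
    acct = OpAccount()
    acct.login("A", "op.example/pw-7f3a", pairwise=True)   # constructed
    acct.login("B", "op.example/alice", pairwise=False)    # constructed
    (acct.sign_out_scoped if scoped else acct.sign_out_global)("A")
    return {rp: s.active for rp, s in acct.sessions.items()}
```

With `scoped=False` both sessions end together, so B's activity ceasing reveals the link; with `scoped=True` only A's session ends and B shows nothing.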